CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.
Last updated
Overview
Chip designers often include design elements in a chip for debugging and troubleshooting such as: Various Test Access Ports (TAPs) which allow boundary scan commands to be executed. Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip. Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs. Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Find and scan debug interface] The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.
- Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain
- Step 2Experiment
[Connect to debug interface] The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.